An EHR Systems Check-Up: 3 Use Cases for Updating Cyber Hygiene

Have you ever wondered how much your patient health record could garner on the black market? Whereas a cybercriminal only needs to shell out a mere dollar for your social security number, your electronic health record (EHR) is likely to sell for something closer to the tune of $50.

This is according to research firm Cybersecurity Ventures, which also projects healthcare cybersecurity spending to reach a cumulative $65 billion globally between the years 2017 and 2021. The healthcare industry has to shell out so much of its budget toward cybersecurity because of a few areas in which its systems are severely lacking.

Challenges in Healthcare Cybersecurity

This year’s Verizon Data Breach Investigations Report found that healthcare is the only vertical suffering from more insider breaches than external breaches. It’s not that doctors and nurses are spending their days slinging EHR files on the dark web: Much of the insider threat in healthcare is about a lack of basic cyber hygiene.

Doctors put years of their life toward becoming medical experts, but the digitized nature of the systems they interact with daily demands that their training include a basic understanding of cybersecurity, as well — and they’re by and large not getting that training. And security teams at healthcare organizations are often lacking the tools and solutions they need to maintain HIPAA compliance, reduce the overall attack surface of their systems, and continuously monitor for vulnerabilities.

Let’s take a look at three use cases for dealing with some of the most pressing cybersecurity issues faced by the healthcare industry today.

1. Achieving System Hardening and Standards Alignment

Problem: You don’t use an internal hardened build standard to verify against your current state.

Solution: Align with and implement a known and trusted standard as soon as possible.

To continuously monitor your systems for vulnerabilities, you need to first establish a secure baseline. You can then compare changes to that baseline and investigate any relevant vulnerabilities. Ideally, baseline evaluation begins at the same time that assets are created. But it’s often the case that you need to define your baseline once your systems are already experiencing traffic.
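The baseline-then-compare loop described above, as an added illustration (this is not Tripwire code, and the directory tree, file names, config contents and the JSON baseline format are all constructed for the example): a baseline records a SHA-256 and permission bits for every file under a root, and a later snapshot is classified as added, removed, content-changed or permission-changed relative to it.

```python
"""Minimal secure-baseline and drift check: take a baseline of a tree,
store it, then compare a later snapshot against it. Added example with
constructed files; not Tripwire or any vendor's implementation."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Record sha256 + permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.stat(full).st_mode)
            baseline[rel] = {"sha256": hash_file(full), "mode": mode}
    return baseline


def compare(baseline, current):
    """Classify drift as added / removed / content-changed / mode-changed."""
    report = {"added": [], "removed": [], "changed": [], "mode": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            if baseline[rel]["sha256"] != current[rel]["sha256"]:
                report["changed"].append(rel)
            if baseline[rel]["mode"] != current[rel]["mode"]:
                report["mode"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a temporary tree, then drift it."""
    root = tempfile.mkdtemp()
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("tls_min_version = 1.2\n")
        with open(os.path.join(etc, "hosts.allow"), "w") as f:
            f.write("ehr-app: 10.0.0.0/8\n")
        os.chmod(os.path.join(etc, "hosts.allow"), 0o640)

        # The stored baseline is what you would sign and keep off-host;
        # JSON with sorted keys keeps it diff-able and auditable.
        stored = json.dumps(take_baseline(root), sort_keys=True)

        # Drift: a weakened setting, loosened permissions, an unexpected file.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("tls_min_version = 1.0\n")
        os.chmod(os.path.join(etc, "hosts.allow"), 0o666)
        with open(os.path.join(etc, "debug.sh"), "w") as f:
            f.write("#!/bin/sh\n")

        return compare(json.loads(stored), take_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Each entry in the report is something an analyst would then investigate against the standard the baseline was built from; in practice the stored baseline needs to live somewhere the monitored host cannot alter.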

In either case, you’ll need to map to an established external framework — or several frameworks at once. These frameworks include HITRUST, NIST, DISA, CIS and HIPAA. Some, like the CIS controls (that’s Center for Internet Security), aren’t legally mandated frameworks. They serve instead as invaluable step-by-step guides to help you secure your systems.

Compliance with other frameworks, like HIPAA, is enforced by rigorous audits. Once you’ve targeted the standards you need to align with, find a solution like Tripwire Enterprise that gives you:

2. Automating the Review of EHR Change Data

Problem: No automation in the review of changes to patient data and electronic records.

Solution: Use a solution that reports on key EHR record changes – patient, financial and insurance.

EHRs contain your medical information and history, but also your financial and insurance details — one of the reasons patient data is in such high demand amongst cybercriminals. Implement health record monitoring solutions for MSSQL, Oracle and DB2 to help you capture changes in scope, processes and jobs. Leverage your existing processes and implement robust change and security configuration management solutions.

Make sure you have identified exactly what records are in scope and how detailed your visibility is when it comes to liability for patient data.
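One way to capture and report on key EHR record changes by category (patient, insurance, financial) and by who made them, as an added example. This is not Tripwire's or any vendor's code: the `patient` schema, the audit trigger, the `session_ctx` actor table and the sample rows are constructed here in SQLite so it runs anywhere; on MSSQL, Oracle or DB2 the same trigger-plus-review pattern uses each engine's trigger syntax and the session's real user, with the audit table kept append-only and outside the application's write privileges.

```python
"""Column-level audit of patient record changes with a categorised
review report. Added example with a constructed SQLite schema."""
import sqlite3

SCHEMA = """
CREATE TABLE patient (
    id INTEGER PRIMARY KEY, name TEXT, dob TEXT,
    insurer TEXT, policy_no TEXT, balance_due REAL
);
-- Every effective UPDATE writes old/new values per column into a log.
CREATE TABLE patient_audit (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    patient_id INTEGER, column_name TEXT, old_value TEXT, new_value TEXT,
    changed_by TEXT, changed_at TEXT DEFAULT CURRENT_TIMESTAMP
);
-- Stand-in for the real session user (constructed for the example).
CREATE TABLE session_ctx (actor TEXT);
"""

# Columns grouped by the three record classes the text calls out.
CATEGORIES = {
    "patient": ["name", "dob"],
    "insurance": ["insurer", "policy_no"],
    "financial": ["balance_due"],
}


def trigger_sql():
    """One AFTER UPDATE trigger per audited column; skips no-op updates."""
    parts = []
    for cols in CATEGORIES.values():
        for col in cols:
            parts.append(f"""
CREATE TRIGGER audit_{col} AFTER UPDATE OF {col} ON patient
WHEN OLD.{col} IS NOT NEW.{col}
BEGIN
  INSERT INTO patient_audit(patient_id, column_name, old_value, new_value, changed_by)
  VALUES (NEW.id, '{col}', OLD.{col}, NEW.{col},
          (SELECT actor FROM session_ctx));
END;""")
    return "\n".join(parts)


def setup():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + trigger_sql())
    return conn


def as_actor(conn, actor):
    """Set the acting identity recorded by the triggers (constructed)."""
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx VALUES (?)", (actor,))


def review(conn):
    """Roll the audit log up by (category, actor) for the daily review."""
    col_to_cat = {c: cat for cat, cols in CATEGORIES.items() for c in cols}
    rows = conn.execute(
        "SELECT patient_id, column_name, old_value, new_value, changed_by "
        "FROM patient_audit ORDER BY seq").fetchall()
    summary = {}
    for pid, col, old, new, who in rows:
        summary.setdefault((col_to_cat[col], who), []).append((pid, col, old, new))
    for changes in summary.values():
        changes.sort()  # trigger firing order is not guaranteed; sort for stable output
    return summary


def demo():
    """Constructed activity: a service adjusts a balance, a user edits insurance."""
    conn = setup()
    conn.execute("INSERT INTO patient VALUES (1,'A. Patient','1970-01-01','Acme Health','P-100',0.0)")
    as_actor(conn, "billing_svc")
    conn.execute("UPDATE patient SET balance_due=120.5 WHERE id=1")
    as_actor(conn, "jdoe")
    conn.execute("UPDATE patient SET insurer='Other Ins', policy_no='P-999' WHERE id=1")
    conn.execute("UPDATE patient SET name='A. Patient' WHERE id=1")  # unchanged value: not logged
    return review(conn)


if __name__ == "__main__":
    for (category, actor), changes in sorted(demo().items()):
        print(category, actor, changes)
```

Grouping by category and actor is what makes the review automatable: a billing service changing financial columns is expected, while an interactive account rewriting insurance details for a patient outside its caseload is the kind of change that should surface for investigation.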

3. Visibility into Access Privileges

Problem: It’s unclear who has access to the systems in scope for EHR and the changes they make.

Solution: Develop processes and training around building system-wide situational awareness.

Between the hundreds or thousands of employees, contractors and vendors who touch your systems, any lack in visibility creates a higher risk for unchecked privilege escalation (remember those disproportionate insider threats?), which can become very problematic very quickly when individuals become curious about health records they shouldn’t be privy to.

Make sure you’re using a solution that helps you adhere to the following steps to keep EHR data in the right hands only:

Also, Tripwire is hosting a webcast with Mercy Health, a major Midwestern hospital system and a Tripwire customer since 2013. Attend this webcast to learn how Mercy Health integrated its people, processes and technology to establish foundational cyber hygiene and protect its data from cyberattacks.

Using Tripwire technology, they created a successful IT service by integrating their ITSM tool, streamlining their reporting process and more. Hear from Mercy Health and Tripwire speakers as they explore the answers to critical healthcare security questions.

Earn a CPE credit for attending. And the first 50 attendees will earn a $5 Starbucks e-card!